CHANGE YOUR PASSWORDS

It seems we have had an unwanted visitor using an admin's password, so they could extract the user database.

I have temporarily disabled session logins, so you will have to keep giving your ID at login for the moment. Cookies will now be using SSL once they are re-enabled, and I have upped the password requirement, so from now on you will need to include mixed case and numbers.

It is very unlikely that anything useful was taken, as the database is not directly accessible and the passwords are encrypted.

However, unlike companies that say "no! nothing wrong here" to keep people calm, I feel that until a full inspection is done we cannot know what has, or has not, been achieved. Waiting and not saying anything until later would be irresponsible of me.

They were logged in as admin for many hours and made changes to what can be downloaded from this site. However, the database is not accessible via the admin panel and the passwords are encrypted.

Any data lifted via browsing around will be minimal because admins don't get to see your passwords.

Our visitor claims that the shell upload did not go as planned. Again, until we know the reality, we take no chances that it is not a bluff.

The outlook is good, but don't take chances. I change my passwords every month or 2 (as you should all learn to do), so, for example, each and every time Yahoo was hacked, my password had already been regularly changed.

I am re-enabling cookie sessions so we can go back to just walking in like normal, but they will now be using SSL so if you have any problems let us know.

I hope that the passwords are hashed and not encrypted... ;o) Even better with a bit of salt. Anyway, for me it would not be a big deal if my password became known to a third party, because usually I use a PW manager and a different password for every service. So in the worst case an attacker could write "Barbie is silly" with my account here.

Dr.Flay wrote: They [...] made changes to what can be downloaded from this site

That's worse, at least for people who run everything they download, because the attacker could have infected the files. Maybe you should check the time stamps of the downloadable files or, even better, compare them to backup versions.

Dr.Flay wrote: Our visitor claims that the shell upload did not go as planned.

What is meant by this?

"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett

The claim is that the upload of a shell to make use of the changes did not finish.

Yes, you are correct, I meant to say the database is encrypted and the passwords hashed. No idea if a pinch of salt is in the mix; SHADE can let us know tomorrow. Right now he is in bed sleeping, but is aware of the situation.

Looking at the admin logs, not much happened, but admin logs can be deleted. No uploads are obvious at this point, and the new file extensions are not in use as far as I can see. I did find one that should not be allowed and removed it: "js".

Use a password manager like KeePass and this breach means nothing. Already changed my password and can do so again without issue anytime. I strongly suggest that others use a manager as well, with KeePass being the most secure, as there is nothing stored online: your database is local, and password generation ensures unique passwords every time and for every site.

Dr.Flay wrote: They were logged in as admin for many hours and made changes to what can be downloaded from this site.

To be more precise: as far as the logs tell us, he changed the allowed file extensions for attachments (he added asp, cgi, dhtm, dhtml, htm, html, jar, js, pl, sh, shtm, shtml). So, for example, he added *.html, which theoretically allowed him to upload HTML files as attachments. It is not possible to open and run these files directly from the directory on the server where all attachments are saved. Also, all uploaded files have encrypted file names on the server.
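As an added illustration (not code from this forum or its software), the check below validates attachment names against an allow-list rather than a deny-list, so an admin-panel change that appends extensions like those listed above cannot make them uploadable, and a helper audits a configured extension list for entries that drifted off the allow-list. The allow-list itself is an assumed example set.

```python
import os
import re

# Assumed allow-list of attachment types for a forum; adjust to the site's needs.
SAFE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "zip", "txt", "pdf"}

# Extensions the thread says were added to the allowed list; used only as test input.
ADDED_TO_CONFIG = {"asp", "cgi", "dhtm", "dhtml", "htm", "html", "jar", "js", "pl", "sh", "shtm", "shtml"}

_SAFE_CHARS = re.compile(r"^[A-Za-z0-9._-]+$")


def attachment_allowed(filename: str) -> bool:
    """Return True only if every suffix in the name is on the allow-list.

    Every suffix is checked, not just the last one, so "photo.html.jpg" and
    "page.jpg.html" are both rejected. Path separators, NUL bytes, dotfiles,
    names without an extension and mixed-case tricks like ".HtMl" are rejected too.
    """
    base = os.path.basename(filename)
    if base != filename or not base or "\x00" in base:
        return False
    if not _SAFE_CHARS.match(base):
        return False
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(p.lower() in SAFE_EXTENSIONS for p in parts[1:])


def audit_extension_list(configured: set[str]) -> set[str]:
    """Return entries of a configured extension list that are not on the allow-list.

    Running this over the stored admin setting detects the kind of change
    described in the thread, where extra extensions were added via the panel.
    """
    return {e.lower() for e in configured} - SAFE_EXTENSIONS
```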

lmao, MD5. It has been decades! I suggest changing to something like Twofish and letting the users store the encryption keys either in cookies or otherwise locally. I will ask the Valoran team for any corrections I must make for this to work.

If you are hosting any sort of keys they can be hooked - probably "spyware" means nothing to a "programmer"... Else, what did I say a few posts ago? Let me recall. When you have connected the Internet to your machine, security will be a cheap fake story which nobody with a sane mind will ever believe.

Note: two dudes here were chatting about newer database software from M$. Well... after 2015 - 2016 they are not only expensive but just utter crap. One of them works there, no worries, he knows some "policies". So the chaos is closer with each day passing; these "teams" are about to lose track of what they do. Security will suffer here...

Fact: In some past year, whatever dude hacked my E-mail account (some time after a so-called infection which did not exist before). Let me see the damage taken at this point: not that much, but I have figured out advantages coming later. Poor "Yoohoo" suddenly decided to take measures regarding accounts and they have improved e-mail management. I was wondering why they did not take those measures before. Probably they could see people retiring away from them, which was not a good thing for their "image", aka reputation. So... time will solve problems or will make them worse...

As I wrote above: if an attacker gets your user name and password, he can log in here and write silly things. But that's probably not the aim of an attacker: because a lot of people use the same username/password combination for several online services, an attacker can try whether this combination also works for PayPal or Amazon or other services where money is involved. And of course that username/password combination is added to the hacker's password dictionary so that these tests can be done automatically and periodically (by the attacker's botnet, not by his own machine^^).

Gustavo6046 wrote: lmao, MD5. It has been decades!

Yes, it is proven that you can find a token that generates the same MD5 sum as the original password. But what does the attacker win? He can log in here and only at other services that also have this username/password combination stored as an MD5 hash.

"Multiple exclamation marks," he went on, shaking his head, "are a sure sign of a diseased mind." --Terry Pratchett
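As an added example (not code from this site or any poster), the snippet below contrasts the unsalted MD5 scheme discussed in the last few posts with per-user salted PBKDF2 from Python's standard library: with unsalted MD5, two users who share a password get identical stored values, so one dictionary hit or a leaked table exposes every reuse at once; with a random salt per record, equal passwords no longer produce equal hashes. The user table is constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed user table: two accounts that happen to use the same password.
USERS = {"alice": "Barbie is silly", "bob": "Barbie is silly", "carol": "other-pass"}


def md5_unsalted(password: str) -> str:
    """The weak scheme the thread mentions: same password, same stored value."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, iterations: int = 200_000) -> str:
    """Store a fresh random 16-byte salt alongside a slow, iterated SHA-256 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_visible(table: dict[str, str]) -> bool:
    """True when two stored values collide, i.e. the table reveals a shared password."""
    return len(set(table.values())) < len(table)


def build_table(hasher) -> dict[str, str]:
    """Hash every constructed user's password with the given scheme."""
    return {user: hasher(pw) for user, pw in USERS.items()}
```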